Security fears threaten RFID adoption

The danger of hacked and cloned wireless ID tags poses a challenge to governments and firms alike

Experts are divided on the scale of the security risk posed by radio frequency identification (RFID) wireless tag technology after a computer expert demonstrated that data held on the tags could be easily cloned.

At the Defcon security conference in Las Vegas, Lukas Grunwald of German security company DN-Systems demonstrated a way to copy information between RFID tags, including those used in new e-passports and corporate access cards.

Grunwald said the technique had taken just "two weeks and $5,000 in legal fees to develop" using inexpensive RFID hardware and scanners and homegrown software.

While Grunwald was not able to manipulate or change data held on the tags - limiting its usefulness for forging e-passports holding biometric data - the approach did quickly copy data onto new tags, posing a potential security risk for firms using the technology in corporate access cards or to authenticate products such as medicines or manufacturing components.

Nigel Montgomery of analyst firm AMR Research branded the demonstration as " sensationalist", and said the security threat posed by RFID tags was still " minimal", but admitted it was likely to hamper adoption of RFID technologies.

"RFID tags are not 100 percent secure, but what is?" Montgomery asked. " People could copy data held on tags, but it is far easier for them to copy a label and a barcode [on counterfeit medicines, for example] than find the radio frequency, copy the tag and decrypt it so they can understand what's on it."

However, Roy Illsley of analyst firm Butler Group said the news showed RFID technology can pose a real security risk for firms. "The biggest issue is the reader and the tag tend to be at the edges of organisations, ie in depots, so theoretically these represent soft entry points into an organisation," he said.

Illsley added that in the future the tags could provide an entry point for viruses or could be easily copied, making their usefulness for tackling counterfeit goods "null and void".

Adam Jura of analyst Datamonitor agreed the ability to clone tags could provide opportunities for fraudsters, as a cloned tag for an expensive product could easily be attached to a counterfeit or cheaper version.

Experts agreed firms need to consider security issues when making RFID deployment decisions. "If you are talking to suppliers about RFID solutions my advice would be to get your security experts along as well," said Illsley. "You have to ask questions about the firewall on the system and how you can limit the risk of duplication."

Separately, IBM has unveiled a new RFID system to track pharmaceutical products. The system, built on IBM's WebSphere middleware platform, allows pharmaceutical firms to track products through their supply chain, and can help tackle counterfeit drugs, and ensure medicines match prescriptions.